Posted by Soulskill on Wednesday May 14, 2014 @04:05PM
from the protecting-against-all-but-the-dumbest-users dept.

An anonymous reader writes "BlackPhone was designed by Phil Zimmermann (inventor of PGP). The 4.7" display phone features a 2 GHz NVIDIA Tegra 4i ARM Cortex-A9 quad-core processor with 60 GPU cores, 1GB RAM and 16GB storage [more specs]. The OS is a customized version of Android called PrivatOS which offers encrypted calls, texts and emails that can't be unscrambled even by spy agencies. It also offers built-in resistance against malicious software which will be most welcomed for users worried about free Apps that are becoming increasingly invasive, if not pure data collection spyware for unknown 3rd parties. It's coming out this June, and many Fortune 50 companies have already ordered the phone to protect against industrial espionage."

Posted by Unknown Lamer on Wednesday May 14, 2014 @01:18PM
from the virtual-arms-deals dept.

Daniel_Stuckey (2647775) writes with news that we may soon learn which countries were sold the FinFisher malware package to spy on their own citizens. "The UK's High Court ruled yesterday that HM Revenue and Customs acted 'unlawfully' when it declined to detail how it was investigating the export of digital spy tools created by a British company. Human rights group Privacy International is celebrating the decision of Mr. Justice Green, which means HMRC now has to reconsider releasing information on its investigation into controls surrounding the export of malware known as FinFisher, created by British supplier Gamma International. The widespread FinFisher malware family, also known as FinSpy, can carry out a range of surveillance operations, from snooping on Skype and Facebook conversations to siphoning off emails or files sitting on a device. It is supposed to benefit law enforcement in their investigations, but has allegedly been found in various nations with poor human rights records, including Bahrain and Ethiopia."

Posted by Unknown Lamer on Wednesday May 14, 2014 @10:45AM
from the still-better-than-a-diebold-machine dept.

wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'"
The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."

Posted by Soulskill on Wednesday May 14, 2014 @12:10AM
from the apple-can-afford-life-support-for-a-while dept.

Lucas123 writes: "The USB SuperSpeed+ spec (a.k.a. v3.1) offers up to 10Gbps throughput. Combine that with USB's new C-Type Connector, the specification for which is expected out in July, and users will have a symmetrical cable and plug just like Thunderbolt but that will enable up to 100 watts of power depending on the cable version. So where does that leave Thunderbolt, Intel's other hardware interconnect? According to some analysts, Thunderbolt withers or remains a niche technology supported almost exclusively by Apple. Even as Thunderbolt 2 offers twice the throughput (on paper) as USB 3.1, or up to 20Gbps, USB SuperSpeed+ is expected to scale past 40Gbps in coming years. 'USB's installed base is in the billions. Thunderbolt's biggest problem is a relatively small installed base, in the tens of millions. Adding a higher data throughput, and a more expensive option, is unlikely to change that,' said Brian O'Rourke, a principal analyst covering wired interfaces at IHS."

Posted by Soulskill on Tuesday May 13, 2014 @05:55PM
from the must-have-been-union dept.

rastos1 sends in a report about a significant bug fix for the Linux kernel (CVE-2014-0196).
"The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device. 'This is the first serious privilege escalation vulnerability since the perf_events issue (CVE-2013-2049) in April 2013 that is potentially reliably exploitable, is not architecture or configuration dependent, and affects a wide range of Linux kernels (since 2.6.31),' Dan Rosenberg, a senior security researcher at Azimuth Security, told Ars in an e-mail. 'A bug this serious only comes out once every couple years.' ... While the vulnerability can be exploited only by someone with an existing account, the requirement may not be hard to satisfy in hosting facilities that provide shared servers, Rosenberg said."

Posted by Soulskill on Tuesday May 13, 2014 @03:50PM
from the place-your-wagers-now dept.

New submitter Drunkulus writes "Journalist Ira Winkler has an article about his personal run-in with the Syrian Electronic Army. While admitting that the SEA has succeeded in hijacking the Wall Street Journal's Twitter accounts and defacing the RSA conference website, he calls them immature, inept script kiddies in this Computerworld column. Quoting: 'These people purport to be servants of the genocidal dictator of Syria and came together to support him, but they wasted their hack on what amounted to cyberbullying. This is not behavior that the SEA's Syrian intelligence handlers would condone. The SEA wasted an opportunity to promote its message, while divulging previously unknown attack vectors. ... I don't think that sort of immaturity will go over well with the SEA's Syrian intelligence bosses. And that could have implications for the influence of the group in the future.'"

Posted by timothy on Tuesday May 13, 2014 @10:16AM
from the I-want-one dept.

First time accepted submitter Dimetrodon (2714071) writes "It is an unspoken rule of military procurement that any IT or communications technology will invariably be years behind what is commercially available or technically hobbled to ensure security. One case in point is the uncomfortably backronymed NeRD, or Navy e-Reader Device, an electronic book so secure the 300 titles it holds can never be updated. Ever."

Posted by timothy on Tuesday May 13, 2014 @09:27AM
from the they're-out-there dept.

An anonymous reader writes "A group of researchers from Carnegie Mellon University and Facebook has managed to get a concrete sense of just how prevalent SSL man-in-the-middle attacks using forged SSL certificates are in the wild. Led by Lin-Shung Huang, PhD candidate at Carnegie Mellon University and, during the research, an intern with the Facebook Product Security team, they have created a new method (PDF) for websites to detect these attacks on a large scale: a widely-supported Flash Player plugin was made to enable socket functionalities not natively present in current browsers, so that it could implement a distinct, partial SSL handshake to capture forged certificates."

Posted by samzenpus on Sunday May 11, 2014 @06:05PM
from the get-a-job dept.

First time accepted submitter stef2dotoh (3646393) writes "I've got about a year of computer science classes under my belt along with countless hours of independent online and tech book learning. I can put together a secure login-driven Web site using PHP and MySQL. (I have a personal project on GitHub and a personal Web site.) I really enjoyed my Web development class, so I've spent a lot of time honing those skills and trying to learn new technologies. I still have a ways to go, though. I've been designing Web sites for more than 10 years, writing basic PHP forms for about 5 or 6 years and only gotten seriously into PHP/MySQL the last 1 or 2 years on and off. I'm fluent with HTML and CSS, but I really like back-end development. I was hoping I might be able to get a job as a junior Web developer, but even those require 2+ years of experience and a list of technologies as long as my arm. Internships usually require students to be in their junior or senior year, so that doesn't seem to be an option for me. Recruiters are responding to my resume on various sites, but it's always for someone more experienced. Should I forget about trying to find a junior Web developer position after only one year of computer science classes?"

Posted by samzenpus on Sunday May 11, 2014 @09:27AM
from the to-the-hacking-station dept.

ClownP (1315157) writes in with this story about a hacker who did some of his work while aboard a nuclear aircraft carrier. "A former sailor assigned to a US nuclear aircraft carrier and another man have been charged with hacking the computer systems of 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University. Nicholas Paul Knight, 27, of Chantilly, VA, and Daniel Trenton Krueger, 20, of Salem, IL, were members of a crew that hacked protected computers as part of a scheme to steal personal identities and obstruct justice, according to a criminal complaint unsealed earlier this week in a US District Court in Tulsa, Oklahoma. The gang, which went by the name Team Digi7al, allegedly took to Twitter to boast of the intrusions and publicly disclose sensitive data that was taken. The hacking spree lasted from April 2012 to June 2013, prosecutors said."

Posted by Soulskill on Saturday May 10, 2014 @05:58PM
from the i'll-stick-with-a-dumb-tv,-thanks dept.

An anonymous reader writes "An article on The Register talks about a demo that was given in London last month by NCC Group where they turned a modern TV into an audio bug. 'The devices contain microphones and cameras that can be utilized by applications — Skype and similar apps being good examples. The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstration purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device’s storage.' Given the Snowden revelations and what we've seen previously about older tech being deprecated, how can we protect ourselves with the modern devices (other than not connecting them to the Internet)?"

Posted by Soulskill on Saturday May 10, 2014 @11:33AM
from the you-can-trust-us dept.

An anonymous reader writes "The U.S. Department of Justice says it needs greater authority to hack remote computers in the course of an investigation. The agency reasons that criminal operations involving computers are becoming more complicated, and argues that its own capabilities need to scale up to match them. An ACLU attorney said, 'By expanding federal law enforcement's power to secretly exploit "zero-day" vulnerabilities in software and Internet platforms, the proposal threatens to weaken Internet security for all of us.' This is particularly relevant in the wake of Heartbleed — it's been unclear whether the U.S. government knew about it before everyone else did. This request suggests that the DOJ, at least, did not abuse it — but it sure looks like they would've wanted to. You can read their request starting on page 499 of this committee meeting schedule."

Posted by timothy on Friday May 09, 2014 @11:59PM
from the what-you-intend-to-practice dept.

First time accepted submitter ChelleChelle2 (2908449) writes "Edward Snowden's release of classified material exposing the existence of numerous global surveillance programs (obtained while working as an NSA contractor at Booz Allen Hamilton) has been referred to as 'the most damaging breach of secrets in U.S. history.' Regardless of whether one chooses to champion or condemn Snowden's actions, it is apparent that the NSA needs to dramatically rework its security measures. In this article Bob Toxen, renowned author of several books and articles on Linux Security, discusses the security practices that could have stopped Snowden. Equally interesting, he weighs in on the constitutionality and morality of the NSA's spying on all Americans."

Posted by Soulskill on Friday May 09, 2014 @03:53PM
from the name-your-servers-after-game-of-thrones-characters dept.

An anonymous reader writes "Every month we submit status reports to upper management. On the infrastructure side, these reports tend to be 'Hey, we met our service level agreements ... again.' IT infrastructure is now a lot like the electric company. Nobody thanks the electric company when the lights come on, but they have plenty of colorful adjectives to describe them when the power is off.

What is the best way to construct a compelling story for upper management so they'll appreciate the hard work that an IT department does? They don't seem particularly impressed with functioning systems, because they expect functioning systems. The extensive effort to design and implement reliable systems has also made IT boring and dull. What types of summaries can you provide upper management to help them appreciate IT infrastructure and the money they spend on the services it provides?"

Posted by Soulskill on Friday May 09, 2014 @03:10PM
from the more-than-one-way-to-skin-schrodinger's-cat dept.

KentuckyFC writes: "Random numbers are the lifeblood of many cryptographic systems and demand for them will only increase in the coming years as techniques such as quantum cryptography become mainstream. But generating genuinely random numbers is a tricky business, not least because it cannot be done with a deterministic process such as a computer program. Now physicists have worked out how to use a smartphone camera to generate random numbers using quantum uncertainties. The approach is based on the fact that the emission of a photon is a quantum process that is always random. So in a given unit of time, a light emitter will produce a number of photons that varies by a random amount. Counting the number of photons gives a straightforward way of generating random numbers. The team points out that the pixels in smartphone cameras are now so sensitive that they can pick up this kind of quantum variation. And since a camera has many pixels working in parallel, a single image can generate large quantities of random digits. The team demonstrates the technique in a proof-of-principle experiment using the 8-megapixel camera on a Nokia N9 smartphone while taking images of a green LED. The result is a quantum random number generator capable of producing digits at the rate of 1 megabit per second. That's more than enough for most applications and raises the prospect of credit card transactions and encrypted voice calls from an ordinary smartphone that are secured by the laws of quantum physics."

Posted by Soulskill on Friday May 09, 2014 @10:15AM
from the server-security-hipsters-don't-follow-the-crowd dept.

DavidGilbert99 writes: "The Heartbleed Bug caused widespread panic among internet users around the world worried their sensitive information was being targeted. While system administrators were warned to patch their systems, a security researcher notes that 300,000 servers remain vulnerable to the Heartbleed flaw a full month later. He said, 'Last month, I found 1-million systems supporting the "heartbeat" feature (with one third patched). This time, I found 1.5-million systems supporting the "heartbeat" feature, with all but the 300k patched. This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.' A developer at Vivaldi Technologies AS also pointed out that a significant number of server administrators botched their response, going from safe to vulnerable."

Posted by Soulskill on Friday May 09, 2014 @09:33AM
from the full-conversion-mod dept.

An anonymous reader writes "It's one of the biggest migrations in the history of Linux, and it made Steve Ballmer very angry: Munich, in southwest Germany, has completed its transition of 15,000 PCs from Windows to Linux. It has saved money, fueled the local economy, and improved security. Linux Voice talked to the man behind the migration: 'One of the biggest aims of LiMux was to make the city more independent. Germany’s major center-left political party is the SPD, and its local Munich politicians backed the idea of the city council switching to Linux. They wanted to promote small and medium-sized companies in the area, giving them funding to improve the city’s IT infrastructure, instead of sending the money overseas to a large American corporation. The SPD argued that moving to Linux would foster the local IT market, as the city would pay local companies to do the work.' (Linux Voice is making the PDF article free [CC-BY-SA] so that everyone can send it to their local councilors and encourage them to investigate Linux)."

Despite these significant changes the amended bill has been endorsed by the ACLU and the EFF as a first step and the most promising path towards reining in government surveillance. The two organizations called for further Congressional measures to tighten control of surveillance authorities, including an explicit definition of the term 'selector,' a reduction in the number of hops from 2 to 1 under most circumstances, and the closing of the loophole that allows searches of Americans' data inadvertently collected through Section 702.

The bill now proceeds to the House Intelligence Committee, which has advanced its competing bill, the FISA Transparency and Modernization Act (HR 4291). The committee will mark up both bills on the same day, beginning at 10am Thursday, behind closed doors."

Posted by Soulskill on Wednesday May 07, 2014 @04:07PM
from the for-generous-definitions-of-the-word-smart dept.

An anonymous reader writes "The op-co.de blog has a post about the incredibly poor job Samsung did securing its new NX300 'smart camera.' One of the camera's primary features is that it can join Wi-Fi networks — this lets it upload photos, but it also lets you use your smartphone to access the photos on the camera directly. You can also connect with NFC. Unfortunately, the way they set it up is extremely insecure. First, there's an NFC tag that tells the camera where to download the app, and also the name of the access point set up by the camera. 'The tag is writable, so a malicious user can easily 'hack' your camera by rewriting its tag to download some evil app, or to open nasty links in your web browser, merely by touching it with an NFC-enabled smartphone.' Things aren't much better with Wi-Fi — a simple port scan reveals that the camera is running an unprotected X server (running Enlightenment). When the camera checks for new firmware, it helpfully reports your physical location. Its software also sets up unencrypted access points."

Posted by Soulskill on Wednesday May 07, 2014 @03:08PM
from the 123456-becomes-1234567 dept.

An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, animated educational GIFs, and tips and tricks for upgrading your passwords."

Posted by Soulskill on Wednesday May 07, 2014 @02:45PM
from the finding-new-ways-to-hide dept.

An anonymous reader writes "Almost every modern abusive relationship has a digital component, from cyberstalking to hacking phones, emails, and social media accounts, but women's shelters increasingly have found themselves on the defensive, ill-equipped to manage and protect their clients from increasingly sophisticated threats. Recently the Tor Project stepped in to help change that. Andrew Lewman, executive director of the project, 'thinks of the digital abuse epidemic like a doctor might consider a biological outbreak. "Step one, do not infect yourself. Step two, do not infect others, especially your co-workers. Step three, help others," he said. In the case of digital infections, like any other, skipping those first two steps can quickly turn caretakers into infected liabilities. For domestic violence prevention organizations that means ensuring their communication lines stay uncompromised. And that means establishing a base level of technology education for staff with generally little to no tech chops who might not understand the gravity of clean communication lines until faced with a situation where their own phone or email gets hacked.'"

Posted by timothy on Tuesday May 06, 2014 @10:48AM
from the look-for-antivirus-with-the-rms-serial-of-approval dept.

judgecorp (778838) writes "Symantec says anti-virus is dead but the company — the world's largest IT security firm — still makes 40 percent of its revenue there. AV now lets through around 55 percent of attacks, the company's senior vice president of information security told the Wall Street Journal. Meanwhile, other security firms including FireEye, RedSocks and Imperva are casting doubt on AV, suggesting a focus on data loss prevention might be better."

Posted by timothy on Tuesday May 06, 2014 @09:27AM
from the or-at-least-a-kerfuffle dept.

arglebargle_xiv (2212710) writes "As most people will have heard, Microsoft will end support for anyone who hasn't upgraded to Win8.1 Update 1 on May 8. What fewer people have heard is that large numbers of users can't install the 8.1 Update, with over a thousand messages in this one thread alone, and that's for tech geeks rather than home users who won't find out about this until their PC becomes orphaned on May 8. Check your Windows Update log, if you've got a "Failed" entry next to KB2919355 then your PC will also become orphaned after May 8."

Posted by samzenpus on Monday May 05, 2014 @03:24PM
from the brand-new dept.

crookedvulture (1866146) writes "AMD just revealed that it has two all-new CPU cores in the works. One will be compatible with the 64-bit ARMv8 instruction set, while the other is meant as an x86 replacement for the Bulldozer architecture and its descendants. Both cores have been designed from the ground up by a team led by Jim Keller, the lead architect behind AMD's K8 architecture. Keller worked at Apple on the A4 and A4 before returning to AMD in 2012. The first chips based on the new AMD cores are due in 2016."

Posted by timothy on Monday May 05, 2014 @05:11AM
from the small-steps-add-up dept.

An anonymous reader writes "Valve Software has sponsored some interesting improvements developed by LunarG for the Mesa OpenGL library on Linux for deferred and threaded GLSL shader compilation. What these changes mean for users of the open-source Linux graphics drivers when running their favorite games is that OpenGL games now load a lot faster. As an example, the time from starting Dota 2 until the time actually being within the game is reduced by about 20 seconds on an Intel system. While Direct3D has offered similar functionality for a while, OpenGL has not, which has given it a bad reputation with regard to game load times until all shaders are compiled and cached — fortunately it's now addressed for OpenGL if using the Mesa Linux graphics drivers on a supported game."

Posted by timothy on Sunday May 04, 2014 @11:31PM
from the risk-versus-reward-baby dept.

Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt:
"For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
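The policy quoted above ties a password's expiry to how long an offline attack would need to recover it. As an added illustration (not code from the Ars Technica article, Deloitte, or Lance James, whose actual calculations are not given), the Python below estimates brute-force crack time from the character classes a password draws on and turns that into a rotation deadline. The guess rate of 1e10 per second, the 0.67 safety factor and the 90-day cap are constructed assumptions, so the day counts will not reproduce the article's 4.5-day and three-month figures; the shape of the policy is what it demonstrates.

```python
import math
import string

# Character classes used to size the brute-force alphabet.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed offline guess rate (guesses per second). The article states no rate;
# 1e10 is a constructed figure for a modern GPU cracking rig.
GUESSES_PER_SECOND = 10_000_000_000


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length must cover."""
    return alphabet_size(password) ** len(password)


def expected_crack_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return keyspace(password) / 2 / rate


def expiry_days(password: str, rate: int = GUESSES_PER_SECOND,
                safety: float = 0.67, cap_days: int = 90) -> int:
    """Require rotation well before the expected crack time, clamped to [1, cap_days].

    safety and cap_days are policy knobs assumed here, not taken from the article.
    """
    days = expected_crack_seconds(password, rate) / 86_400
    return max(1, min(cap_days, math.floor(days * safety)))


if __name__ == "__main__":
    # The two passwords from the article, run through the constructed policy.
    for pw in ("test123@#", "t3st123@##$x"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, "
              f"~{expected_crack_seconds(pw) / 86_400:.1f} days to crack, "
              f"rotate within {expiry_days(pw)} days")
```

The keyspace model is an upper bound: "test123@#" is a dictionary word plus a common digit run, and a rule- or mask-based cracker would find it far sooner than exhaustive search suggests, which is why a production policy would feed an estimator such as zxcvbn rather than raw character-class arithmetic.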

Posted by timothy on Sunday May 04, 2014 @07:23PM
from the how-many-do-you-count-right-now? dept.

An anonymous reader writes "EFF is launching a new extension for Firefox and Chrome called Privacy Badger. Privacy Badger automatically detects and blocks spying ads around the Web, and the invisible trackers that feed information to them. You can try it out today."

Posted by timothy on Sunday May 04, 2014 @06:09PM
from the teenagers-are-pretty-darn-creative dept.

wiredmikey (1824622) writes "As Europe powered up its most ambitious ever cybersecurity exercise this month, doubts were being raised over whether the continent's patchwork of online police was right for the job. The exercise, called Cyber Europe 2014, involved 200 organizations and 400 cybersecurity professionals from both the European Union and beyond. Yet some critics argued that herding together normally secretive national security agencies and demanding that they spend the rest of 2014 sharing information amounted to wishful thinking. Others questioned whether the law enforcement agencies taking part in the drill should be involved in safeguarding online security, in the wake of American whistleblower Edward Snowden's revelations of online spying by western governments. Eurostat figures show that, by January 2012, only 26 percent of EU enterprises had a formally defined information technology security plan in place. One industry insider said the view in Brussels is that EU cybersecurity was 'like teenage sex: everyone says they are doing it but not that many actually are.'"

Posted by timothy on Sunday May 04, 2014 @10:29AM
from the conditionally-readable-headline dept.

GottaBeMobile offers a better explanation than many other reports of a recent Google upgrade (some users would say more of a lateral move) that makes offline document creation and editing a first-class option for users of Google's office apps, but removes editing capabilities from Google Drive per se. Instead of creating or editing documents directly through Drive, users will instead be able to do this (including offline) with a dedicated app called Docs and Sheets. The article explains a few ways in which the new configuration is confusing, including this one: "Splitting out the editing functionality from Google Drive into the new Apps certainly seems odd given that fundamentally there are no new or different editing features offered in the new Google Docs and Google Sheets standalone Apps. Some users won’t appreciate having to download the new stand alone Apps to replace previous functionality, especially limited functionality."

Posted by timothy on Saturday May 03, 2014 @10:05PM
from the leave-your-comment-in-the-form-of-an-exploit dept.

dwheeler (321049) writes "Heartbleed was a bad vulnerability in OpenSSL. My article How to Prevent the next Heartbleed explains why so many tools missed it... and what could be done to prevent the next one. Are there other ways to detect these vulnerabilities ahead of time? What did I miss?"

Posted by timothy on Saturday May 03, 2014 @08:07PM
from the but-magic-lantern dept.

Iddo Genuth (903542) writes "Photographer and videographer Alec Weinstein was in the market for a new smartphone. He realized that the new Samsung Galaxy S5 and the Note 3 both have 4K video recording capabilities and decided to compare those to his 1080p 5D MKIII pro DSLR camera – the results are extremely interesting — Can you tell the difference between a Canon 5D MKIII shooting 1080p video and a Samsung Galaxy Note III smartphone shooting 4K video?"

Posted by timothy on Saturday May 03, 2014 @08:29AM
from the superheroes-of-the-real-world dept.

jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under-resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too many donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."

Posted by timothy on Saturday May 03, 2014 @01:02AM
from the no-moving-parts dept.

Lucas123 (935744) writes "SanDisk has announced what it's calling the world's highest capacity 2.5-in SAS SSD, the 4TB Optimus MAX line. The flash drive uses eMLC (enterprise multi-level cell) NAND built with 19nm process technology. The company said it plans on doubling the capacity of its SAS SSDs every one to two years and expects to release an 8TB model next year, dwarfing anything hard disk drives can ever offer over the same amount of time. The Optimus MAX SAS SSD is capable of up to 400 MBps sequential reads and writes and up to 75,000 random I/Os per second (IOPS) for both reads and writes, the company said."

Posted by timothy on Friday May 02, 2014 @07:10PM
from the giveth-and-taketh-away dept.

An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: 'Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages, attachments, and third-party applications.' Not anymore."

Posted by Soulskill on Friday May 02, 2014 @05:07PM
from the another-day-another-flaw dept.

jones_supa writes: "A notable security vulnerability has been discovered which impacts both OAuth and OpenID, which are software packages that provide a secure delegated access to websites. Wang Jing, a Ph.D. student at the Nanyang Technological University in Singapore, discovered that the 'Covert Redirect' flaw can masquerade as a login popup based on an affected site's domain. Covert Redirect is based on a well-known exploit parameter. For example, someone clicking on a malicious phishing link will get a popup window in Facebook, asking them to authorize the app. Instead of using a fake domain name that's similar to trick users, the Covert Redirect flaw uses the real site address for authentication. If a user chooses to authorize the login, personal data will be released to the attacker instead of to the legitimate website. Wang did already warn a handful of tech giants about the vulnerability, but they mostly dodged the issue. In all honesty, it is not trivial to fix, and any effective remedies would negatively impact the user experience. Users who wish to avoid any potential loss of data should be careful about clicking links that immediately ask you to log in to Facebook or Google, and be aware of this redirection attack."
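The post says Covert Redirect rides on a "well-known exploit parameter" and that the consent screen shows the real site's address. In OAuth 2.0 that parameter is redirect_uri (RFC 6749), which the post does not name. The following is an added example, not code from Wang Jing, the post, or any provider, showing the provider-side check that matters: a loose host-only comparison lets a redirector page on the genuine client site forward the authorization response elsewhere, while exact-string matching against the registered URI does not. The client name, hostnames and sample requests are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed client registration (hypothetical names, not from the page):
# each client id maps to the exact redirect URIs it registered with the provider.
REGISTERED_REDIRECTS = {
    "photo-app": {"https://photoapp.example/oauth/callback"},
}

# Constructed authorization requests as the provider would receive them.
SAMPLE_REQUESTS = [
    ("photo-app", "https://photoapp.example/oauth/callback"),                  # legitimate
    ("photo-app", "https://photoapp.example/goto?url=https://evil.example/"),  # redirector on the real site
    ("photo-app", "https://photoapp.example/oauth/callback#rogue"),            # fragment tampering
    ("photo-app", "https://evil.example/oauth/callback"),                      # unrelated host
    ("unknown",   "https://photoapp.example/oauth/callback"),                  # unregistered client
]


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Flawed pattern: any URI on a registered host is accepted.

    The consent page then legitimately shows the real site, and an open
    redirector under that host can pass the code or token on to a third party.
    """
    host = (urlsplit(redirect_uri).hostname or "").lower()
    return any((urlsplit(r).hostname or "").lower() == host
               for r in REGISTERED_REDIRECTS.get(client_id, ()))


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened pattern: exact string match against a registered entry,
    https only, and no fragment component."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def accepted(check) -> list:
    """Return the request URIs a given check would let through."""
    return [uri for cid, uri in SAMPLE_REQUESTS if check(cid, uri)]


if __name__ == "__main__":
    print("weak check accepts:  ", accepted(weak_redirect_check))
    print("strict check accepts:", accepted(strict_redirect_check))
```

Exact matching is what makes the fix painful in the way the post describes: every client must register each callback in full, and any redirector or wildcard path a relying party relied on stops working.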

Posted
by
Soulskill on Friday May 02, 2014 @02:19PM
from the your-computer-is-broadcasting-an-ip-address dept.

Capt.Michaels writes: "I need to start sending security alerts and warnings to employees at my somewhat sizable company. My problem: I'm not sure how to send these alerts without freaking everyone out and causing the help desk to get flooded with phone calls. For example, let's take the current Internet Explorer exploit that caused US-CERT to recommend switching browsers. I don't want everyone killing our limited help desk with ridiculous questions like, 'I downloaded $New_Browser, how can I get my toolbar? How do I bookmark things in this browser? Can you tell me which browser you recommend?' Simply put: some vulnerabilities are worth major changes, but many aren't. If we switched software every time a new vulnerability came out, we'd never get anything done. Sooner or later, a patch will come out, and everything will be back to normal. But how do I communicate to end users that they should be aware of an issue and take extra care until it's fixed, without causing panic?"

Posted
by
samzenpus on Friday May 02, 2014 @08:08AM
from the we-did-it-our-way dept.

First time accepted submitter ElyKahn (3637855) writes "The diaspora of startups with an NSA pedigree is rapidly growing. These startups, such as Sqrrl, Virtru, and Synack, are typically security-focused and often are commercializing technology projects from the NSA. However, coming from the NSA is a dual-edged sword... the technology is world-class and cutting-edge, but they must also fight the viewpoint of some that the startups are merely a front for the NSA."

Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said. Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch."

Posted
by
samzenpus on Wednesday April 30, 2014 @07:44PM
from the red-light-green-light dept.

Trailrunner7 (1100399) writes "It has been a running joke in the tech industry for years that the hacking scenes in movies are, well, a joke. Hackers in hoodies pushing a few keys and taking down the power grid or causing massive traffic pileups by turning all the stoplights green at once. While those scenes provide endless entertainment for security folks, it turns out some of those attacks aren't so far-fetched. Cesar Cerrudo, a researcher and CTO at IOActive, decided to take a look at the security of some of the devices that control traffic lights and electronic signs in many cities around the world, and found that not only were the devices vulnerable to a number of attacks, but they could be exploited quite easily and perhaps could be used to spread malware from device to device. Cerrudo said that the vulnerabilities he identified can be exploited from up to a mile or two away with the right equipment."